Every breach report for the last decade has started the same way. Someone clicked a link. It is not because users are careless. It is because phishing is a volume game played against defences that mostly rely on the user noticing something is off.
The attacks are not cleverer. They are better targeted.
The phishing emails that actually succeed in 2026 do not come from a Nigerian prince. They come from “Microsoft Security” at 9:03 on a Monday morning, quoting your exact email address, asking you to re-authenticate to Office 365. The link goes to a domain that looks right. The login page looks right. And if you have not enforced phishing-resistant MFA, it works.
Worse still, AI has industrialised the spear-phish. Generating a convincing message in someone’s tone of voice now takes thirty seconds, not thirty minutes. Your CEO’s “urgent invoice approval” email really does look like your CEO wrote it.
What stops it, in order of impact
Phishing-resistant MFA. SMS codes are dead. An attacker who captures your password in a phishing form can sit in the middle and capture the code too. Move to authenticator apps with number matching, FIDO2 keys for admins, or Windows Hello for Business. All three genuinely stop the session-hijack phish.
Conditional access. If a sign-in from an unknown device in a new country raises a risk signal, block it. Entra ID conditional access does exactly this. Most M365 Business Premium tenants have it licensed and switched off.
Impersonation protection. Microsoft Defender for Office 365 will flag messages that look like they are from protected users but are not. It catches the “hi, it’s the CEO, please send me gift cards” class of attack. Turn it on.
External sender banners. A simple yellow banner on every external email is one of the highest-ROI controls we know. It is free. Most tenants do not have it.
DMARC, DKIM, SPF. Not because these protect your own inbound mail, but because attackers love spoofing your domain to phish your suppliers. Get to p=reject within 90 days.
Training and simulations. Short, frequent, real. Not the annual hour of compliance video. Simulated phishing every month, with a friendly five-minute follow-up for anyone who clicks. The click rate drops fast.
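To make the DMARC point concrete, here is an added Python example (not from the original post) that parses a DMARC TXT record, lists what still separates it from full p=reject enforcement, and suggests the next move on the usual none, quarantine, reject rollout path. The three records and their .test domains are constructed samples; in practice you would feed it the result of a DNS TXT lookup of _dmarc.<yourdomain>.

```python
from __future__ import annotations

# Constructed sample records (fictional .test domains), not real DNS data.
SAMPLE_RECORDS = {
    "weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
    "mid.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@mid.test",
    "good.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@good.test",
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, tags lower-cased (RFC 7489 syntax)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return the gaps between this record and full p=reject enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: v=DMARC1 missing"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or '(missing)'}: spoofed mail is not rejected")
    pct = int(tags.get("pct", "100"))  # RFC default is 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # sp= defaults to p=, so only report it when it is explicitly weaker than reject.
    if tags.get("sp", "reject").lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing stays invisible")
    return findings


def next_step(record: str) -> str:
    """Suggest the next rollout move on the none -> quarantine -> reject path."""
    tags = parse_dmarc(record)
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    if policy == "none":
        return "fix SPF/DKIM for every legitimate sender using rua reports, then set p=quarantine"
    if policy == "quarantine":
        return "set p=reject" if pct == 100 else f"raise pct from {pct} to 100, then set p=reject"
    return "enforced: keep reading rua reports for new senders"
```

Run assess_dmarc and next_step over each entry in SAMPLE_RECORDS to see the weak record flagged, the mid record told to raise pct, and the good record reported as enforced.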
What does not work
Telling users to “be more careful”. We have never seen that as the finding of a breach investigation.
Perfect email filtering. You will always miss a percentage. Assume email will get through, and build the rest of the layers behind it.
Blocking domains after the attack. Attackers burn domains in hours. By the time you block one, the next is in flight.
The honest position
You will not stop every phish. You can stop every phish from becoming a breach. MFA, conditional access, impersonation protection, and a SOC watching for the sign-in anomalies. That is the stack. It is boring, well understood, and it works.
We run this stack for dozens of UK businesses. If yours is missing any of the four, let us show you what a Huntress-monitored tenant actually looks like.